The CPS 230 Third Party Risk Playbook

$199.00

A focused course, tailored for you

Build the APRA-ready material service provider framework your board can sign off on.

Your CPS 230 MSP register has the providers listed. What it is missing is the exit strategy documentation that would satisfy an APRA examiner on day one. Exit runbooks, data portability timelines, and board-approved tolerance statements for critical operations are what separate a register from a compliant TPR program.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

CPS 230 replaced CPS 231 and raised the bar significantly. The new standard requires exit strategies for every material service provider, annual board attestation, fourth-party risk visibility, and concentration analysis calibrated to critical operation tolerance levels. Most TPR teams built their register under the old outsourcing rules and now have a framework that meets the letter of CPS 231 but not the architecture of CPS 230. The gap shows up when APRA asks: show me the exit plan for your core banking infrastructure provider. The answer cannot be 'engage procurement.' It must be a documented runbook, a tested portability timeline, and a board resolution confirming the tolerance window. That documentation kit takes time to build correctly, and the standard does not publish templates. This course does.

What you walk away with

  • Apply the CPS 230 materiality test to classify and tier every third-party arrangement in your portfolio.
  • Build and maintain the MSP register format that passes APRA supervisory scrutiny, with every required data field populated and version-controlled.
  • Draft compliant exit strategy documentation for each material service provider, including the operational runbook, data portability timeline, and board tolerance statement.
  • Construct a fourth-party risk disclosure process that captures sub-contractor dependencies in cloud and outsourced environments.
  • Write the annual board risk report that satisfies CPS 230's governance requirement in the format APRA expects to see.

The 12 modules

Module 1. CPS 230 Scope and the Material Service Provider Test
CPS 230 replaces CPS 231 and changes how materiality is determined for third-party arrangements. This module walks through the two-limb test that defines a material service provider: whether disruption would affect a critical operation, and whether the service is material to the entity's ability to manage risk. Includes worked examples covering cloud infrastructure, professional services, and market data providers that sit in the grey zone.
Module 2. Building the MSP Register That Passes APRA Scrutiny
The MSP register is not a spreadsheet. This module covers the minimum data fields APRA expects, how to tier providers by criticality, when a change in service scope triggers re-assessment, and the version-control discipline that survives a supervisory visit. Includes the register template with pre-mapped columns for CPS 230 compliance, with guidance on migrating legacy outsourcing registers into the new structure without losing the history examiners will ask for.
Module 3. Inherent Risk Profiling for Financial Services Vendors
Third-party risk scoring in financial services must account for dimensions beyond information security. This module covers the inherent risk profiling methodology calibrated for banking contexts: operational risk, financial viability, concentration risk, geopolitical exposure, and sub-contractor dependency. Includes the worked rubric from a prudential review setting showing how scores are weighted and how to document the rationale when examiners ask why a provider was tiered a certain way.
Module 4. Due Diligence Templates: Initial Assessment and Annual Review
Structuring due diligence questionnaires that satisfy both CPS 230 and CPS 234 in a single workflow. Covers SOC 2 Type II equivalence, penetration test evidence standards, BCP test result requirements, and sub-contractor disclosure obligations. Includes guidance on handling vendor refusals without creating a compliance gap in your own register, and how to document the outcome when a provider declines to provide the evidence your standard requires.
Module 5. Contractual Risk Minimums Under CPS 230
CPS 230 specifies the contractual provisions APRA expects in material service provider agreements. This module walks through the ten minimum clauses: right to audit, data handling obligations, incident notification timelines, sub-contracting restrictions, and exit provisions. Includes a contract gap-analysis tool for use against existing agreements, with a prioritised remediation list for the clauses most likely to surface in a supervisory review of your legal documentation.
Module 6. Exit Strategy Documentation: Runbook, Portability, and Tolerance
An exit strategy that says 'notify procurement' fails the CPS 230 test. This module builds the complete exit documentation set: the operational runbook covering manual workarounds for each critical operation, the data portability timeline showing how long recovery takes, and the board-approved tolerance statement defining the maximum acceptable disruption window. Includes the template used to brief a Risk Committee on the exit readiness of each material provider.
Module 7. Critical Operations Mapping and Dependency Analysis
CPS 230 requires regulated entities to map critical operations to the third-party services that underpin them. This module covers the dependency mapping methodology, how to identify single-vendor concentration points, and how to present that concentration to the board in a format that supports the tolerance statement. Includes a worked example of a banking critical operation mapped across its primary, secondary, and fourth-party dependencies.
Module 8. Fourth-Party Risk: Sub-contractors and Cloud Supply Chains
CPS 230 extends to material sub-contractors. In cloud-dependent operating models this creates a multi-tier dependency chain that most TPR registers do not capture. This module covers the disclosure requirement, the tiered assessment approach for cloud infrastructure chains including shared-responsibility model implications, and the evidence package APRA expects when it asks about the vendors your primary providers rely on to deliver their service.
Module 9. Continuous Monitoring Without Dedicated Per-Vendor Headcount
Ongoing monitoring scaled to a large MSP register without adding headcount for each provider. This module covers the trigger-based review schedule calibrated to provider risk tier, automated financial health signals you can configure without specialist tooling, incident notification workflows that feed the TPR register, and the annual attestation calendar that keeps governance current without requiring a full manual audit of every provider each year.
Module 10. Board and Executive Reporting That Meets CPS 230 Governance
The board risk report that satisfies CPS 230's governance requirements differs from a standard risk dashboard. This module covers the format and cadence APRA expects: concentration metrics surfacing single-point dependencies, heat maps calibrated to critical operation tolerance levels, material incident summaries with root-cause attribution, and the forward-looking attestation the board must approve at least annually under the standard.
Module 11. Regulatory Engagement and Supervisory Visit Preparation
What happens when APRA commences a supervisory review of your TPR function. This module covers the document pack examiners typically request, how to present your MSP register and due diligence files, the common gaps APRA finds in large financial institutions' TPR programs, and how to structure responses when examiners follow up on specific providers. Based on the CPS 230 prudential practice guide and supervisory expectations published since the standard took effect.
Module 12. Target Operating Model for a Mature TPR Function
Moving from reactive vendor assessments to a risk-proportionate TPR function. This module covers team structure and role definitions for a scaled TPR program, tooling selection criteria for third-party risk platforms, integration points with procurement, InfoSec, and business continuity, and the three-stage maturity progression from register-building through to embedded monitoring. Includes the target operating model one-pager used to brief a new Group Risk Officer on the current state of the function.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • Your CPS 230 implementation is approaching the board attestation deadline and the MSP register still has exit strategy gaps for critical operation providers.
  • APRA has commenced a supervisory review and requested your TPR framework, MSP register, and supporting due diligence documentation.
  • A new material service provider has been onboarded and your existing due diligence process does not cover all CPS 230 requirements for their service category.
  • The Group Risk Committee has asked for a concentration risk report and your TPR data is not structured to answer the question at the critical operation level.

What you get with this course

  • 12 written modules covering CPS 230 scope through TPR target operating model
  • Downloadable MSP register template with all APRA-required fields pre-mapped
  • Exit strategy documentation kit: operational runbook, data portability timeline, and board tolerance statement templates
  • Due diligence questionnaire templates for initial assessment and annual review
  • Board paper template for the annual CPS 230 governance sign-off
  • Contract gap-analysis tool for use against existing material service provider agreements
  • Hand-built implementation playbook delivered alongside course access

What you will have in hand by Day 1, Week 1, Month 1

Course access and the hand-built implementation playbook are provisioned within 24 hours of purchase.

The full 12-module sequence is designed for completion over six weeks at two modules per week.

Each module is a standalone reference you can return to when a specific assessment, board paper, or supervisory response is due.

Before and after

Before

An MSP register built for CPS 231 that lists providers and contract dates, with exit strategies that say 'identify alternative providers' and due diligence files that are complete for some providers and partially complete for others. Board reporting covers vendor count but not concentration or critical operation tolerance.

After

A CPS 230-compliant TPR framework with tiered providers, complete exit strategy documentation for every material service provider, fourth-party visibility into cloud infrastructure chains, and board papers that meet APRA's annual governance expectation in the format examiners expect to see.

What happens if you do not address this

An APRA supervisory review that finds incomplete exit strategies or undocumented fourth-party dependencies results in a formal remediation program, which occupies the TPR team for months and creates ongoing regulatory scrutiny. Concentration findings that surface at board level without a preceding risk report create governance accountability questions that are difficult to resolve after the fact.

Who it is for

Third-party risk managers and TPR analysts at APRA-regulated entities who are responsible for implementing or maintaining compliance with CPS 230. Most relevant to those managing a register of 20 or more material service providers, preparing for a supervisory engagement, or building the board governance layer for the first time. Experience with the prior CPS 231 outsourcing standard is helpful but not required.

Who this is NOT for. Professionals at non-APRA-regulated entities, or those working in vendor management roles rather than risk-focused third-party assessment. Also not for those seeking a general introduction to third-party risk without a specific regulatory framework to implement.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Two modules per week over six weeks. Each module is designed to take 45-60 minutes, including time to work through the included templates and apply them to your own register.

Why $199 is the right number

APRA's CPS 230 prudential practice guide publishes requirements but not implementation templates. Legal reviews of the standard clarify the obligations without building the documentation kit. External consulting engagements address the framework but cost significantly more and do not leave the team with transferable skills. This course builds the capability in-house, with templates you own and can update as the standard is reviewed.

FAQ

Does this cover CPS 230 specifically or the old CPS 231 outsourcing standard?
CPS 230, which replaced CPS 231 for all APRA-regulated entities. Module 1 covers how the materiality criteria changed and what that means for arrangements that were not classified as material outsourcing under the prior standard.
How is the implementation playbook different from the course modules?
The modules build the methodology and the skill. The implementation playbook is built for your role, your register size, and the specific CPS 230 gaps that surface in your assessment process. Gerard builds it within 24 hours of purchase.
Is this relevant if I am already partway through a CPS 230 implementation?
Yes. Each module is a standalone reference. Most practitioners use the exit strategy module and the fourth-party risk module first, because those are where implementation programs most often stall.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.